2 Answers

Here is where I've landed after two days of hacking. I welcome any feedback or criticism. If you identify a fundamental functional or security flaw with this approach, I'll paypal you enough cash for a pound of coffee or six-pack of beer.

I have selected Django as my 'modern web stack' for a foundational platform. I'll be leveraging it for security, account, session, and password management. I eagerly defer security-sensitive functionality to Django (i.e. following convention wherever possible). I do not shirk responsibility for security, but I believe informed consumption of an industry-vetted framework is inherently more secure than rolling your own. I selected Django primarily based on familiarity with and preference for Python, plus the framework's maturity.

Out of the box, Django has great support for account management and authentication. Of particular value is the great Django admin interface which lets a superuser reset passwords, disable accounts, etc. This is a huge value imho.

To support registration and account lifecycle management (password reset, etc), I went with the django-registration module:

This got me up and running with a full account management solution for web-usage, but (as mentioned above) I need an API-based solution for a mobile app. I don't want to persist the user password locally on the phone and I'd prefer to avoid managing session cookies in my API calls (a token approach is superior imho). I discovered this module:
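As an added illustration of the token approach described above (example code, not the answer's own code nor the module it refers to): a Django-independent sketch of issuing and checking opaque API tokens so the phone keeps a revocable token instead of the password. The `TokenStore` class, the 30-day TTL and the helper names are assumptions standing in for a real model table.

```python
import hashlib
import hmac
import secrets

TOKEN_TTL_SECONDS = 30 * 24 * 3600  # assumed token lifetime: 30 days


def _digest(token: str) -> str:
    """Server persists only the SHA-256 of the token, never the token itself,
    so a leaked table does not hand out usable credentials."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class TokenStore:
    """In-memory stand-in for a model holding (token_hash, user_id, expires_at)."""

    def __init__(self) -> None:
        self._rows: dict[str, tuple[int, float]] = {}

    def issue(self, user_id: int, now: float) -> str:
        # Called once, after the framework has verified the user's password.
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._rows[_digest(token)] = (user_id, now + TOKEN_TTL_SECONDS)
        return token  # returned to the app exactly once; the password is never stored on the phone

    def authenticate(self, token: str, now: float):
        """Return the user_id for a valid, unexpired token, otherwise None."""
        presented = _digest(token)
        for stored_hash, (user_id, expires_at) in self._rows.items():
            # Constant-time compare so a wrong token reveals nothing about matching prefixes.
            if hmac.compare_digest(stored_hash, presented):
                return None if now > expires_at else user_id
        return None

    def revoke(self, token: str) -> bool:
        """Invalidate a single token (e.g. on logout or a lost device)."""
        return self._rows.pop(_digest(token), None) is not None

    def revoke_all_for_user(self, user_id: int) -> int:
        """Invalidate every token for a user; pairs naturally with a password reset."""
        doomed = [h for h, (uid, _) in self._rows.items() if uid == user_id]
        for h in doomed:
            del self._rows[h]
        return len(doomed)
```

Revocation is the practical win over shipping the password to the phone: a superuser can cut off one stolen device without forcing the user to change anything else.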

For lack of more specific requirements, I would start by picking a modern web stack you had some familiarity with and riding its built-in authentication back-end. You might need to roll a few services in front of it to manage some angles, but you should be able to avoid crafting a real secured user management system.

Also keep in mind that while HTTP basic auth isn't the perfect answer, HTTP basic auth over SSL is a reasonable alternative until you've got something worth stealing.